Passwordless Future: A New Approach to Cybersecurity and Data Privacy
We explore the vulnerabilities of passwords and the promise of a passwordless future.
Passwords have been a part of our lives long before the digital era. From garage doors to luggage locks, passwords or codes have been a simple yet fundamental method of securing our belongings. One essential component of that security, however, was the requirement of proximity – anyone wanting to input a password into the lock had to be within the immediate proximity of the device. Digital passwords require no such proximity.
The Vulnerability of Digital Passwords
Digital assets are accessible globally. This openness invites anonymous attempts from all corners of the world, challenging the security of these assets. Given the ease with which simple passwords can be breached by today’s cybercriminals, and the various methods those same cybercriminals have to do so, we have an immediate need for increased complexity and modernization in our password system.
Major Shortcomings of Passwords
In this episode, we take digital passwords as they are, rather than as we would hope them to be (for the most part). Digital passwords, thus, have numerous shortcomings. Most of those shortcomings, sad to say, are because of you, the user.
1. Simple Passwords
Simple passwords are vulnerable to brute force attacks, where attackers use computational power to try every possible combination. Online systems may have measures to prevent such attacks, but offline files protected by passwords remain highly vulnerable. Hackers also have many tools at their disposal, from data breach files to your personal Facebook page, to help them crack your simple passwords.
2. Reusing Passwords
The habit of reusing passwords, even complex ones, across multiple platforms poses a significant risk. As we have pointed out in numerous prior episodes, in the event of a data breach, where a list of usernames and passwords is leaked, the reuse of these credentials across different platforms can lead to a domino effect, compromising multiple accounts.
This practice effectively hands over a ‘master key’ to our digital lives, making us vulnerable to widespread account breaches. Credential stuffing attacks are a prime example of this vulnerability, where attackers use previously exposed passwords to gain unauthorized access to multiple accounts.
Real-World Implications: The 23andMe Breach
A case study we discussed was the 23andMe breach, where approximately 14,000 accounts were compromised because of password reuse by the users. This incident underscored the importance of unique passwords, as reusing them can lead to a chain reaction of breaches across various services.
3. Incremental Password Changes
When you change a password, changing an “S” to “$” or “I” to “!” is not an effective change. Unfortunately, a lot of people seem to find it to be an easy way to update a password that they are required to change, or to modify a favorite password to comply with requirements for including a number or symbol. However, tools to detect those changes have been widely used by the hacker community for over a decade, and it is trivial for a hacker to adapt to the change, providing effectively no additional security.
4. You Can Give Them Away
You might be surprised to hear this, but all the hacks we’ve talked about thus far in this episode all involve “authorized access” by the hacker. That’s right – they log in with your credentials and, regardless how they were obtained, their presence in whatever system they’ve gotten into is technically authorized. By you. One of the most dangerous aspects of using a login and password for access to secret or personal information is your ability to simply give them away.
When a hacker targets you with a spear phishing email or text, they’re usually trying to get you to give them your login and password. Their tools exist simply to provide you with a compelling reason for you to provide the hacker with that information. The best of those tools makes it so you don’t have the slightest clue that that’s what you’re doing.
Phishing attacks have become more sophisticated, making it increasingly challenging to distinguish between legitimate and fraudulent communications. The use of AI in crafting convincing phishing emails was noted as a particularly concerning development. These deceptive techniques lead people to willingly hand over their credentials, thinking they are interacting with a legitimate site.
Strategies to Combat Password Vulnerabilities
So, what is the average person to do in this day and age to protect their passwords? Well, as we’ve discussed numerous times before, there are simple (and some not-so-simple) steps you can take to limit or eliminate the vulnerabilities in your passwords.
1. Use Complex and Unique Passwords
Create more complex passwords, incorporating a mix of upper and lowercase letters, numbers, symbols, and, importantly, length. Lengthy passwords or passphrases can be more secure than shorter, complex passwords due to the increased difficulty in cracking them. Where possible, consider using a pass phrase instead of a traditional password. Even without symbols or numbers, the sheer length of a four-word passphrase is dramatically more secure than the most complex 16-digit password.
2. Rotate Your Passwords
Regularly changing passwords is important, especially for critical accounts. With the vast number of accounts most people have, this task can be daunting, but it’s essential for maintaining security. The podcast emphasized the necessity of avoiding incremental changes when updating passwords, as predictable patterns can be easily exploited by AI and automated systems used by cybercriminals.
Editor’s Note: There is significant disagreement in the cybersecurity world over this particular instruction. While Ryan believes that this is an important password hygiene tool, Brian believes that it ignores the basic reality that if you require humans to rotate numerous passwords at short intervals, users will inevitably rely on passwords that are 1) weak, 2) re-used, 3) only an incremental change from a previous password, or 4) two or more of the above. What is not in dispute is that passwords should always be changed when there is evidence that the password has been compromised, or immediately upon termination of a user’s employment or access to a particular account.
3. Use a Password Manager
For those struggling with the task of creating and remembering multiple unique passwords, password managers were suggested as a practical solution. These tools can generate and store long, complex passwords for numerous accounts, simplifying password management.
Password managers function like a digital address book for passwords. This approach not only simplifies password management but also significantly enhances security by eliminating the need for physical notes or the risky practice of using common passwords across multiple sites. Just make sure that you use a strong, unique master password.
Further Reading: The 6 Best Password Managers for Individuals and Families in 2023
4. Embrace Multi-Factor Authentication (MFA)
MFA involves combining two or more authentication factors: something you know (like a password or PIN), something you have (like a security token or mobile device), and something you are (like a fingerprint or facial recognition). The implementation of MFA adds a significant layer of security, making it much more difficult for unauthorized individuals to access accounts.
5. Utilize Resources Like ‘Have I Been Pwned’
The website ‘Have I Been Pwned’ is a valuable resource in protecting your passwords and data. Created by security researcher Troy Hunt, this platform aggregates data from major breaches and allows users to check if their accounts have been compromised. In case of a breach, immediate action, like changing passwords for the affected account and other accounts where the same password was used, is crucial to prevent credential stuffing attacks.
Business Strategies for Password (and Passwordless) Security
Businesses also have a role to play in enhancing password security. There are many things that a business can implement that will dramatically improve password security and overall data security, including:
1. Risk Profiling
Identifying and flagging accounts accessed from unusual locations to prevent unauthorized access. While this practice is a few steps shy of utilizing some of the single-sign-on methods described below, it will help to identify credentials that may have been compromised by identifying a pattern of misuse.
The potential downsides of this system include the tedious nature of evaluating the locations from which accounts are accessed, particularly in this era of remote work, and the tedious nature of actually determining which flagged accounts were being accessed legitimately, depending on the size of your organization and the nature of your business.
2. Password Policies
Implementing policies that enforce complexity and regular rotation of passwords, and restrict the use of commonly used passwords. Bear in mind what we mentioned earlier as far as password rotation.
For more information on Password Policies, check out this post.
3. Single Sign-On (SSO) Systems
Single Sign-On Systems allow users to access multiple accounts based on the authentication from one centralized system. This can be a localized authentication system, provided by a company like Okta, or it can be as simple as utilizing your Google account to access your social media profiles.
While SSO systems reduce the number of passwords an individual needs, they must be secured with strong multifactor authentication and risk profiling to ensure they don’t become a single point of failure.
4. Emphasizing Phishing-Resistant Multifactor Authentication
Multi-factor authentication is a great way to improve your data security, but to get the most out of it, your MFA solution needs to be phishing-resistant. SMS-based MFA has been proven to be highly susceptible to compromise, limiting its security value, particularly in highly targeted attacks. Options like app-based authenticators, certificate-based authentication, or hardware tokens provide an additional layer of security beyond standard password protection. These methods are harder for attackers to compromise compared to more traditional forms of authentication.
The Rise of Passwordless Systems
Can’t we just find something better and get rid of these passwords already?
Well, not yet, but “passwordless” systems are increasingly becoming a reality, offering a more secure and user-friendly approach to authentication security. In these systems, the authentication process begins with a username, followed by alternative forms of verification rather than a traditional password. This shift is becoming more common among various service providers.
Biometrics as a Key Component
Biometrics has been identified as a crucial element in passwordless systems. The use of facial recognition or thumbprints for authentication is already being implemented in various applications, including banking, taxation, and social media. This method eliminates the need for users to remember and enter passwords, enhancing both security and convenience.
Additional Authentication Methods in Passwordless Systems Other methods that support passwordless authentication include:
- Certificates for Known Machines: In organizational settings, certificates can be used to authenticate access from specific, known machines, adding a layer of security for business-issued computers.
- App-Based Authentication: Instead of password prompts, users can authenticate using a common authenticator app, which may require a six-digit code or a push-level check.
- Hardware Tokens and Keys: We have expressed a preference for devices like YubiKeys or FIDO2 keys, which use a PIN and a unique, touch-protected rotational code, but there are many quality options available. These physical tokens must be in the user’s possession for access, significantly reducing the risk of phishing attacks.
While the transition to passwordless systems is underway, however, the importance of good password hygiene and employing robust security measures in the interim cannot be overstated. The growing sophistication of cyber threats makes the shift towards passwordless systems imperative. Until such systems become the norm, the combination of traditional password security, enhanced with modern tools and practices, remains essential for safeguarding digital information and assets.
We’re here to help make the complex language of cybersecurity understandable. So if there are topics or issues that you’d like Ryan and I to break down in an episode, send us an email at email@example.com or reach out to us on Facebook or LinkedIn. For more information about today’s episode, be sure to check out Fearless Paranoia.com where you’ll find a full transcript as well as links to helpful resources and any research and reports discussed during this episode. While you’re there, check out our other posts and podcasts as well as additional helpful resources for learning about cybersecurity.
- Resilience Cybersecurity & Data Privacy
- 8 Useful Small Business Cybersecurity Tips You Need to Know – Resilience Cybersecurity & Data Privacy
- Generative AI fueling significant rise in cyberattacks – CSO Online
- There is a Ransomware Armageddon Coming for Us All – The Hacker News
- Malicious hackers are weaponizing generative AI – InfoWorld
- ChatGPT Used to Develop New Malicious Tools – infoSecurity
- MFA Spamming and Fatigue: When Security Measures Go Wrong – The Hacker News
- CISA Publishes Multi-Factor Authentication Guidelines to Tackle Phishing – infoSecurity Group
- A Secure User Authentication Method – Planning is More Important than Ever – The Hacker News
- Why we all Need a Password Manager – Imperva
- 5 Password Manager Perks You Might Not Be Using – WIRED
- Deep Web vs. Dark Web: What is the Difference? – Norton
to make cybersecurity understandable, digestable, and guide you through being able to understand what you and your business need to focus on in order to get the most benefit for your cybersecurity spend.
©2024 Fearless Paranoia